FileVault or VileFault?

Deconstructing FileVault was a subject of discussion at a recent hackers …

Among the topics discussed at the 23rd Chaos Communication Congress was FileVault, the encryption technology in OS X which might be described as "security for the rest of us." Apple touts FileVault as both secure and easy to use, requiring only a password and activation in the Security Preference Pane. Of course, what's not said about FileVault, both in terms of how it works and potential issues, is less accessible.

At 23C3, the "Unlocking FileVault" session analyzed FileVault, including possible methods of compromising the disk storage system. For those who don't know, FileVault functions by creating a sparse image of the Home directory and encrypting it using AES and 128-bit keys. Marko's blog, of Marko Karppinen & Co. LLC, makers of Knox, hits the high points of the conference, which can also be found in a PDF document that was obviously not produced with Keynote, along with tools for "analyzing" FileVault.

In addition to the AES-128 algorithm, the system relies on the 3DES and, if you use a master password, the RSA-1024 algorithms. Triple-DES is effectively 112 bit, and the RSA-1024 is a rough equivalent to a 72-bit symmetric encryption (according to Lenstra-Verheul heuristics).

If I'm not mistaken—and being an AOLperson that is always a possibility—you don't actually have the 149 trillion years of protection that Apple's hyperbole-loving marketing department tosses out there blithely. Nonetheless, it appears that the conclusion at 23C3 is that FileVault is relatively secure, provided it is used correctly. This would include using secure virtual memory and disabling "safe sleep" for now. Besides that, it appears the biggest vulnerability of FileVault comes from poor password choice, a glossary being the best attack vector.

Of course, whether or not it's a good idea to base encryption on a technology vulnerable to the inelegant dismounting of a disk image, such as during a power outage, is another discussion, one best had with a UPS and battery backup.